DaemonForums  

#1
11th May 2019
bsdcord
What's missing in openbsd

Hi,
I think that OpenBSD is good at perimeter defense but not so much at inner defense.
For example, there are few or no papers on forensics. There are few ways to check the integrity of your system. I think this is a very important step in security because if you have been hacked, you don't know. If you know, you haven't been hacked (defacements are not hacking... they are just pranks).
Thus every user should periodically make a deep check of their system. In OpenBSD there is a script called "security" that makes some checks but, imho, it's rather ridiculous. Could be good in the '80s but not today.
One other thing missing in OpenBSD is a memory forensics framework like "rekall" or "volatility". Today memory forensics software is a necessity because some malware is much easier to detect in memory than on the disk (maybe it is encrypted on the disk or very well hidden). But of course it must be resident in memory to run.
Tools like aide could be useful, but not against a kernel rootkit. If anyone is skilled enough to hack your OpenBSD box, it's rather sure he will not install userland malware.
#2
11th May 2019
jggimi

Along with your limited awareness of shipped OS and kernel integrity controls, you may not be aware of Kernel Address Randomized Link ("KARL") introduced in 2017. Once OpenBSD is installed, each booted kernel is unique, with unique offsets between program and data. During boot, a new kernel is created for use with the next boot. The local integrity chain is maintained through sha256(1) hashes.

Last edited by jggimi; 11th May 2019 at 11:41 AM. Reason: typo, clarity
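
The local hash chain described in the post above, as an added example that is not part of the thread and is not OpenBSD's own relinking code: each boot verifies the current kernel against the recorded hash before writing the next kernel and recording its hash. The function names, file names and kernel bytes are constructed for illustration; the record uses the `SHA256 (file) = digest` line format that sha256(1) prints.

```python
import hashlib, os, re, tempfile
from pathlib import Path

# Checksum line in the format sha256(1) prints: "SHA256 (name) = <64 hex digits>"
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record(path, manifest):
    """Store the current hash of `path` as the single line of `manifest`."""
    with open(manifest, "w") as f:
        f.write(f"SHA256 ({path}) = {sha256_file(path)}\n")

def verify(path, manifest):
    """Return 'ok', 'mismatch', or 'no-record' (missing or malformed manifest)."""
    if not os.path.exists(manifest):
        return "no-record"
    with open(manifest) as f:
        for line in f:
            m = BSD_LINE.match(line.rstrip("\n"))
            if m and m.group(1) == path:
                return "ok" if m.group(2) == sha256_file(path) else "mismatch"
    return "no-record"

def relink(kernel, manifest, new_image):
    """One link of the chain: replace the kernel only if it still matches its record."""
    status = verify(kernel, manifest)
    if status != "ok":
        return status                      # fail closed: kernel and record untouched
    tmp = kernel + ".new"
    Path(tmp).write_bytes(new_image)
    os.replace(tmp, kernel)                # atomic swap on the same filesystem
    record(kernel, manifest)               # the next boot verifies against this
    return "relinked"

def demo():
    """Constructed run: one clean boot, then a boot after the kernel file was changed."""
    with tempfile.TemporaryDirectory() as d:
        kernel, manifest = os.path.join(d, "bsd"), os.path.join(d, "kernel.SHA256")
        Path(kernel).write_bytes(b"constructed kernel image 1")
        record(kernel, manifest)
        first = relink(kernel, manifest, b"constructed kernel image 2")
        Path(kernel).write_bytes(b"modified behind the record's back")
        second = relink(kernel, manifest, b"constructed kernel image 3")
        return first, second
```

A record stored on the same disk catches any change that does not also update the record; code that already controls the running kernel can rewrite both.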